Wrong method used to access form based api_key in request body

Created on 20 October 2021, about 3 years ago
Updated 25 March 2024, 9 months ago

Problem/Motivation

This purpose of the module is to check if a http-request contains an api_key which is assigned to a drupal-user. The API Key can be included as a query parameter, as http-header or as parameter in the body of the http message.

When testing a http POST request with content-type application/x-www-form-urlencoded, like below, it is not possible to parse the api key from the request body.

POST /georeport/v2/requests.xml
Content-Type: application/x-www-form-urlencoded

foor=bar&api_key=abcdef123

Steps to reproduce

if you add the API Key as a query parameter to a request, the current code parses the query parameter as form_api_key

<?php
    $form_api_key = $request->get('api_key');
    if (!empty($form_api_key)) {
      return $form_api_key;
    }

The actual check is never reached:

   $query_api_key = $request->query->get('api_key');
    if (!empty($query_api_key)) {
      return $query_api_key;
    }

Proposed resolution

Apply a fix to parse the \Symfony\Component\HttpFoundation\Request $request object correctly. The method to access the form encoded api key is $request->request->get('api_key');

Remaining tasks

-

User interface changes

-

API changes

-

Data model changes

-

🐛 Bug report
Status

Fixed

Version

3.0

Component

Code

Created by

🇩🇪Germany markaspot

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024